DOA for IoT at ITU-T Study Group 20: Dead on Arrival, or Return of the Living Dead?

Last week, US Senior White House Adviser Kellyanne Conway earned a caustic scoff from the Internet in response to a comment she had made on the threat of surveillance from hacked microwave ovens. Late night television hosts, Wired magazine, and Twitter users alike pounced on Conway for her ostensibly ludicrous remark. But while it’s true that you won’t find many microwaves equipped with cameras, Conway wasn’t entirely wrong. The exposing power of the Internet of Things (IoT)—the sheer wealth of personal data that IoT systems collect, store, and use—is certainly concerning. The technical work currently being developed on IoT, particularly in Internet standardization bodies, has potential implications for human rights that we must consider.

The Telecommunication Standardization Sector of the International Telecommunication Union (ITU-T) is one of these bodies. A UN specialized agency, the ITU-T is mandated to develop international standards for the infrastructure of information and communication technologies (ICTs). Back in November, ARTICLE 19 attended the proceedings of WTSA-16, during which the work program of the ITU-T over the next four years was established. This month, we attended the first ITU-T Study Group 20 (SG20) meeting of the new study period, held March 13-23, 2017 in Dubai. One of the 11 current study groups tasked with carrying out the technical work decided by the WTSA, SG20 is responsible for developing non-binding Recommendations (otherwise known as standards), technical papers, and supplementary resources on the subject of the Internet of Things and Smart Cities and Communities (IoT and SC&C).

At the end of WTSA-16, we highlighted the major issues of concern that emerged over the course of the meeting, including the thwarted push to support the problematic Digital Object Architecture (DOA) framework. During the recent SG20 meeting, DOA cropped up yet again—this time, in the context of IoT identification.

A fundamental principle of IoT is interconnectedness: many devices of different types are connected through the Internet and coordinated, and the rich data collected from them is analyzed to provide services that would not have been possible with only one device. Ensuring that these devices are uniquely identifiable is therefore crucial to this coordination. Enter: DOA.

As we’ve noted previously, the DOA Handle System is a shadowy, proprietary technology that suffers from a lack of transparency. The collection and control of information that can be gleaned through object identification has implications for individuals’ privacy and personal data. The identification of Internet-connected objects may lead to the identification of their users, from their movement offline to their habits and interests online. The more identifiable objects that we possess, the more personal information may be aggregated about us. And much like a mosaic, the combination of data from different sources may synergistically reveal new information that would not have been apparent from the separated data points. The implementation of a centralized global registry of IoT devices like the Handle System would exacerbate this kind of dangerous data gathering.

With so little information on this technology, we only have more questions. How would this data be secured? Which entities or national governments would have access to this data? Without transparent, multi-stakeholder oversight, the information gathered by such an identification system could be captured by certain state or corporate interests, potentially granting the extrajudicial power to monitor the physical locations and digital activities of individuals. Such a dynamic would perpetuate a chilling effect on freedom of association and freedom of expression. Moreover, creating a hierarchical identification system that’s distinct from the Domain Name System (DNS) we already use to locate and identify connected services and devices would facilitate fragmentation of the Internet. Entities controlling this alternate system would be able to block access to content and restrict the free flow of information, stifling our right to it.

Several Member States within the ITU have nevertheless been committed to developing Recommendations for ICTs that are directly and explicitly based on DOA. During the SG20 meeting, several contributions to ongoing drafts and proposals for new Recommendations posited DOA as the solution to a startling range of IoT identification issues, from combating device counterfeiting to managing drones. By hurtling straight towards the creation of standards based on DOA, the ITU-T risks overlooking crucial steps in standards development: conducting studies and producing technical reports that would include test cases explicating the use and benefit of DOA and the Handle System. Claims that DOA-based systems would be secure and would protect the privacy and free expression of Internet users are not enough. Without any evidence of the security and privacy impacts of DOA, we are concerned by the persistent efforts to create ITU-T Recommendations that would enable its implementation.

Civil society must be engaged in these developments. DOA is likely to be revisited at the next SG20 meeting in September. Though the ITU-T is not a multi-stakeholder body that is typically open to civil society, concerned NGOs can hold their national government representatives accountable and raise awareness of the positions that national delegations take on the technical work being carried out within the ITU. Global Partners Digital has just started an informative blog series describing how the ITU works, and it’ll include ways in which civil society can engage with ITU processes as the current study period progresses.

Should we be worried about spying microwave ovens? Probably not. But that doesn’t mean we shouldn’t keep a watchful eye on how IoT is developing as an issue of Internet governance.